tls artifacts: list ondisk locations alongside secret/configmaps

TLS artifact reports prefer in-cluster locations, so that they can be
assigned metadata via annotations. This change prints other ondisk
locations so that secret/configmap could be linked to the file
on disk

pkg/certs/types.go

@@ -1,6 +1,7 @@
 package certs
 
 import (
+	"fmt"
 	"strings"
 
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
@@ -14,6 +15,9 @@ type OnDiskLocationByPath []certgraphapi.OnDiskLocation
 type CertKeyPairInfoByOnDiskLocation map[certgraphapi.OnDiskLocation]certgraphapi.PKIRegistryCertKeyPairInfo
 type CABundleInfoByOnDiskLocation map[certgraphapi.OnDiskLocation]certgraphapi.PKIRegistryCertificateAuthorityInfo
 
+type CertKeyPairByLocation []certgraphapi.PKIRegistryCertKeyPair
+type CertificateAuthorityBundleByLocation []certgraphapi.PKIRegistryCABundle
+
 func (n SecretRefByNamespaceName) Len() int {
 	return len(n)
 }
@@ -59,3 +63,43 @@ func (n OnDiskLocationByPath) Swap(i, j int) {
 func (n OnDiskLocationByPath) Less(i, j int) bool {
 	return strings.Compare(n[i].Path, n[j].Path) < 0
 }
+
+func BuildCertKeyPath(curr certgraphapi.PKIRegistryCertKeyPair) string {
+	if curr.InClusterLocation != nil {
+		return fmt.Sprintf("ns/%v secret/%v", curr.InClusterLocation.SecretLocation.Namespace, curr.InClusterLocation.SecretLocation.Name)
+	}
+	if curr.OnDiskLocation != nil {
+		return fmt.Sprintf("file %v", curr.OnDiskLocation.OnDiskLocation.Path)
+	}
+	return ""
+}
+
+func BuildCABundlePath(curr certgraphapi.PKIRegistryCABundle) string {
+	if curr.InClusterLocation != nil {
+		return fmt.Sprintf("ns/%v configmap/%v", curr.InClusterLocation.ConfigMapLocation.Namespace, curr.InClusterLocation.ConfigMapLocation.Name)
+	}
+	if curr.OnDiskLocation != nil {
+		return fmt.Sprintf("file %v", curr.OnDiskLocation.OnDiskLocation.Path)
+	}
+	return ""
+}
+
+func (n CertKeyPairByLocation) Len() int {
+	return len(n)
+}
+func (n CertKeyPairByLocation) Swap(i, j int) {
+	n[i], n[j] = n[j], n[i]
+}
+func (n CertKeyPairByLocation) Less(i, j int) bool {
+	return strings.Compare(BuildCertKeyPath(n[i]), BuildCertKeyPath(n[j])) < 0
+}
+
+func (n CertificateAuthorityBundleByLocation) Len() int {
+	return len(n)
+}
+func (n CertificateAuthorityBundleByLocation) Swap(i, j int) {
+	n[i], n[j] = n[j], n[i]
+}
+func (n CertificateAuthorityBundleByLocation) Less(i, j int) bool {
+	return strings.Compare(BuildCABundlePath(n[i]), BuildCABundlePath(n[j])) < 0
+}

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/ownership/requirement.go

@@ -33,7 +33,7 @@ func (o OwnerRequirement) InspectRequirement(rawData []*certgraphapi.PKIList) (t
 	if err != nil {
 		return nil, fmt.Errorf("failure marshalling %v.json: %w", o.GetName(), err)
 	}
-	markdown, err := generateOwnershipMarkdown(pkiInfo)
+	markdown, err := generateOwnershipMarkdown(pkiInfo, rawData)
 	if err != nil {
 		return nil, fmt.Errorf("failure marshalling %v.md: %w", o.GetName(), err)
 	}
@@ -79,7 +79,7 @@ func generateViolationJSON(pkiInfo *certs.PKIRegistryInfo) *certs.PKIRegistryInf
 	return ret
 }
 
-func generateOwnershipMarkdown(pkiInfo *certs.PKIRegistryInfo) ([]byte, error) {
+func generateOwnershipMarkdown(pkiInfo *certs.PKIRegistryInfo, rawData []*certgraphapi.PKIList) ([]byte, error) {
 	certsByOwner := map[string][]certgraphapi.PKIRegistryCertKeyPair{}
 	certsWithoutOwners := []certgraphapi.PKIRegistryCertKeyPair{}
 	caBundlesByOwner := map[string][]certgraphapi.PKIRegistryCABundle{}
@@ -120,18 +120,7 @@ func generateOwnershipMarkdown(pkiInfo *certs.PKIRegistryInfo) ([]byte, error) {
 			md.Title(3, fmt.Sprintf("Certificates (%d)", len(certsWithoutOwners)))
 			md.OrderedListStart()
 			for _, curr := range certsWithoutOwners {
-				if curr.InClusterLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("ns/%v secret/%v\n", curr.InClusterLocation.SecretLocation.Namespace, curr.InClusterLocation.SecretLocation.Name)
-					md.Textf("**Description:** %v", curr.InClusterLocation.CertKeyInfo.Description)
-					md.Text("\n")
-				}
-				if curr.OnDiskLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("file %v\n", curr.OnDiskLocation.OnDiskLocation.Path)
-					md.Textf("**Description:** %v", curr.OnDiskLocation.CertKeyInfo.Description)
-					md.Text("\n")
-				}
+				tlsmetadatainterfaces.PrintCertKeyPairDetails(curr, md, rawData)
 			}
 			md.OrderedListEnd()
 			md.Text("\n")
@@ -140,18 +129,7 @@ func generateOwnershipMarkdown(pkiInfo *certs.PKIRegistryInfo) ([]byte, error) {
 			md.Title(3, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundlesWithoutOwners)))
 			md.OrderedListStart()
 			for _, curr := range caBundlesWithoutOwners {
-				if curr.InClusterLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("ns/%v configmap/%v\n", curr.InClusterLocation.ConfigMapLocation.Namespace, curr.InClusterLocation.ConfigMapLocation.Name)
-					md.Textf("**Description:** %v", curr.InClusterLocation.CABundleInfo.Description)
-					md.Text("\n")
-				}
-				if curr.OnDiskLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("file %v\n", curr.OnDiskLocation.OnDiskLocation.Path)
-					md.Textf("**Description:** %v", curr.OnDiskLocation.CABundleInfo.Description)
-					md.Text("\n")
-				}
+				tlsmetadatainterfaces.PrintCABundleDetails(curr, md, rawData)
 			}
 			md.OrderedListEnd()
 			md.Text("\n")
@@ -162,23 +140,13 @@ func generateOwnershipMarkdown(pkiInfo *certs.PKIRegistryInfo) ([]byte, error) {
 	allOwners.Insert(sets.StringKeySet(caBundlesByOwner).UnsortedList()...)
 	for _, owner := range allOwners.List() {
 		md.Title(2, fmt.Sprintf("%s (%d)", owner, len(certsByOwner[owner])+len(caBundlesByOwner[owner])))
-		certs := certsByOwner[owner]
-		if len(certs) > 0 {
-			md.Title(3, fmt.Sprintf("Certificates (%d)", len(certs)))
+		certificates := certsByOwner[owner]
+		if len(certificates) > 0 {
+			md.Title(3, fmt.Sprintf("Certificates (%d)", len(certificates)))
 			md.OrderedListStart()
-			for _, curr := range certs {
-				if curr.InClusterLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("ns/%v secret/%v\n", curr.InClusterLocation.SecretLocation.Namespace, curr.InClusterLocation.SecretLocation.Name)
-					md.Textf("**Description:** %v", curr.InClusterLocation.CertKeyInfo.Description)
-					md.Text("\n")
-				}
-				if curr.OnDiskLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("file %v\n", curr.OnDiskLocation.OnDiskLocation.Path)
-					md.Textf("**Description:** %v", curr.OnDiskLocation.CertKeyInfo.Description)
-					md.Text("\n")
-				}
+
+			for _, curr := range certificates {
+				tlsmetadatainterfaces.PrintCertKeyPairDetails(curr, md, rawData)
 			}
 			md.OrderedListEnd()
 			md.Text("\n")
@@ -188,19 +156,9 @@ func generateOwnershipMarkdown(pkiInfo *certs.PKIRegistryInfo) ([]byte, error) {
 		if len(caBundles) > 0 {
 			md.Title(3, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundles)))
 			md.OrderedListStart()
+
 			for _, curr := range caBundles {
-				if curr.InClusterLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("ns/%v configmap/%v\n", curr.InClusterLocation.ConfigMapLocation.Namespace, curr.InClusterLocation.ConfigMapLocation.Name)
-					md.Textf("**Description:** %v", curr.InClusterLocation.CABundleInfo.Description)
-					md.Text("\n")
-				}
-				if curr.OnDiskLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("file %v\n", curr.OnDiskLocation.OnDiskLocation.Path)
-					md.Textf("**Description:** %v", curr.OnDiskLocation.CABundleInfo.Description)
-					md.Text("\n")
-				}
+				tlsmetadatainterfaces.PrintCABundleDetails(curr, md, rawData)
 			}
 			md.OrderedListEnd()
 			md.Text("\n")

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces/annotation_requirement.go

@@ -48,7 +48,7 @@ func (o annotationRequirement) InspectRequirement(rawData []*certgraphapi.PKILis
 	if err != nil {
 		return nil, fmt.Errorf("failure marshalling %v.json: %w", o.GetName(), err)
 	}
-	markdown, err := o.generateInspectionMarkdown(pkiInfo)
+	markdown, err := o.generateInspectionMarkdown(pkiInfo, rawData)
 	if err != nil {
 		return nil, fmt.Errorf("failure marshalling %v.md: %w", o.GetName(), err)
 	}
@@ -65,7 +65,7 @@ func (o annotationRequirement) InspectRequirement(rawData []*certgraphapi.PKILis
 		violationJSONBytes)
 }
 
-func (o annotationRequirement) generateInspectionMarkdown(pkiInfo *certs.PKIRegistryInfo) ([]byte, error) {
+func (o annotationRequirement) generateInspectionMarkdown(pkiInfo *certs.PKIRegistryInfo, rawData []*certgraphapi.PKIList) ([]byte, error) {
 	compliantCertsByOwner := map[string][]certgraphapi.PKIRegistryCertKeyPair{}
 	violatingCertsByOwner := map[string][]certgraphapi.PKIRegistryCertKeyPair{}
 	compliantCABundlesByOwner := map[string][]certgraphapi.PKIRegistryCABundle{}
@@ -118,23 +118,12 @@ func (o annotationRequirement) generateInspectionMarkdown(pkiInfo *certs.PKIRegi
 		violatingOwners.Insert(sets.StringKeySet(violatingCABundlesByOwner).UnsortedList()...)
 		for _, owner := range violatingOwners.List() {
 			md.Title(3, fmt.Sprintf("%s (%d)", owner, len(violatingCertsByOwner[owner])+len(violatingCABundlesByOwner[owner])))
-			certs := violatingCertsByOwner[owner]
-			if len(certs) > 0 {
-				md.Title(4, fmt.Sprintf("Certificates (%d)", len(certs)))
+			violatingCerts := violatingCertsByOwner[owner]
+			if len(violatingCerts) > 0 {
+				md.Title(4, fmt.Sprintf("Certificates (%d)", len(violatingCerts)))
 				md.OrderedListStart()
-				for _, curr := range certs {
-					if curr.InClusterLocation != nil {
-						md.NewOrderedListItem()
-						md.Textf("ns/%v secret/%v\n", curr.InClusterLocation.SecretLocation.Namespace, curr.InClusterLocation.SecretLocation.Name)
-						md.Textf("**Description:** %v", curr.InClusterLocation.CertKeyInfo.Description)
-						md.Text("\n")
-					}
-					if curr.OnDiskLocation != nil {
-						md.NewOrderedListItem()
-						md.Textf("file %v\n", curr.OnDiskLocation.OnDiskLocation.Path)
-						md.Textf("**Description:** %v", curr.OnDiskLocation.CertKeyInfo.Description)
-						md.Text("\n")
-					}
+				for _, curr := range violatingCerts {
+					PrintCertKeyPairDetails(curr, md, rawData)
 				}
 				md.OrderedListEnd()
 				md.Text("\n")
@@ -145,18 +134,7 @@ func (o annotationRequirement) generateInspectionMarkdown(pkiInfo *certs.PKIRegi
 				md.Title(4, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundles)))
 				md.OrderedListStart()
 				for _, curr := range caBundles {
-					if curr.InClusterLocation != nil {
-						md.NewOrderedListItem()
-						md.Textf("ns/%v configmap/%v\n", curr.InClusterLocation.ConfigMapLocation.Namespace, curr.InClusterLocation.ConfigMapLocation.Name)
-						md.Textf("**Description:** %v", curr.InClusterLocation.CABundleInfo.Description)
-						md.Text("\n")
-					}
-					if curr.OnDiskLocation != nil {
-						md.NewOrderedListItem()
-						md.Textf("file %v\n", curr.OnDiskLocation.OnDiskLocation.Path)
-						md.Textf("**Description:** %v", curr.OnDiskLocation.CABundleInfo.Description)
-						md.Text("\n")
-					}
+					PrintCABundleDetails(curr, md, rawData)
 				}
 				md.OrderedListEnd()
 				md.Text("\n")
@@ -172,27 +150,16 @@ func (o annotationRequirement) generateInspectionMarkdown(pkiInfo *certs.PKIRegi
 		numCompliant += len(v)
 	}
 	md.Title(2, fmt.Sprintf("Items That DO Meet the Requirement (%d)", numCompliant))
-	allAutoRegenerateAfterOfflineExpirys := sets.StringKeySet(compliantCertsByOwner)
-	allAutoRegenerateAfterOfflineExpirys.Insert(sets.StringKeySet(compliantCABundlesByOwner).UnsortedList()...)
-	for _, owner := range allAutoRegenerateAfterOfflineExpirys.List() {
+	complaintSet := sets.StringKeySet(compliantCertsByOwner)
+	complaintSet.Insert(sets.StringKeySet(compliantCABundlesByOwner).UnsortedList()...)
+	for _, owner := range complaintSet.List() {
 		md.Title(3, fmt.Sprintf("%s (%d)", owner, len(compliantCertsByOwner[owner])+len(compliantCABundlesByOwner[owner])))
-		certs := compliantCertsByOwner[owner]
-		if len(certs) > 0 {
-			md.Title(4, fmt.Sprintf("Certificates (%d)", len(certs)))
+		complaintCerts := compliantCertsByOwner[owner]
+		if len(complaintCerts) > 0 {
+			md.Title(4, fmt.Sprintf("Certificates (%d)", len(complaintCerts)))
 			md.OrderedListStart()
-			for _, curr := range certs {
-				if curr.InClusterLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("ns/%v secret/%v\n", curr.InClusterLocation.SecretLocation.Namespace, curr.InClusterLocation.SecretLocation.Name)
-					md.Textf("**Description:** %v", curr.InClusterLocation.CertKeyInfo.Description)
-					md.Text("\n")
-				}
-				if curr.OnDiskLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("file %v\n", curr.OnDiskLocation.OnDiskLocation.Path)
-					md.Textf("**Description:** %v", curr.OnDiskLocation.CertKeyInfo.Description)
-					md.Text("\n")
-				}
+			for _, curr := range complaintCerts {
+				PrintCertKeyPairDetails(curr, md, rawData)
 			}
 
 			md.OrderedListEnd()
@@ -204,18 +171,7 @@ func (o annotationRequirement) generateInspectionMarkdown(pkiInfo *certs.PKIRegi
 			md.Title(4, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundles)))
 			md.OrderedListStart()
 			for _, curr := range caBundles {
-				if curr.InClusterLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("ns/%v configmap/%v\n", curr.InClusterLocation.ConfigMapLocation.Namespace, curr.InClusterLocation.ConfigMapLocation.Name)
-					md.Textf("**Description:** %v", curr.InClusterLocation.CABundleInfo.Description)
-					md.Text("\n")
-				}
-				if curr.OnDiskLocation != nil {
-					md.NewOrderedListItem()
-					md.Textf("file %v\n", curr.OnDiskLocation.OnDiskLocation.Path)
-					md.Textf("**Description:** %v", curr.OnDiskLocation.CABundleInfo.Description)
-					md.Text("\n")
-				}
+				PrintCABundleDetails(curr, md, rawData)
 			}
 
 			md.OrderedListEnd()